Feeds

Airline security critic raided by Feds

Don't even joke about it

Build a business case: developing custom apps

Indiana University graduate student Christopher Soghoian pointed out a flaw in airline security by posting a fake boarding pass generator online, and was rewarded with a visit from FBI agents with a search warrant.

The FBI raided his residence on Saturday, only days after the student posted a PHP script enabling anyone to print a boarding pass for Northwest Airlines.

It's unlikely that a fake pass would enable someone to board a flight they hadn't paid for, but it would suffice to get one into the "secure" area of an airport. Soghoian's example passes would fail at the gate when read electronically. Still, they would likely not be challenged until that point.

The trick involved is not new; indeed, it was publicised by Slate magazine in February 2005. Creating a script enabling any fool to generate a pass was Soghoian's contribution.

The Feds apparently considered this to be going a step further than providing information that's already available, and interpreted it as encouraging bad behaviour, even though Soghoian was clear about the fact that his example passes would not enable one to fly for free. They only demonstrated how easily people on the no-fly lists could find themselves wandering about an airport, if, for example, they were too lazy to get an ID and credit card issued under a different name.

Which brings us to the observation that, yes, airport security is crap, just as Soghoian's pass generator and the Slate article illustrate, and no, it really doesn't matter if people can print their own boarding passes, and even edit them.

In the five years since 9/11, the TSA has failed to catch a single terrorist, and it isn't because they're printing boarding passes. It's because the entire idea of setting up checkpoints at widely-publicised locations and waiting for terrorists to turn up and get caught is idiotic. Those who might be recognised visually aren't flying commercially.

The rest are simply declining to participate as well, or are travelling with authentic, government-issued passports and working credit cards obtained fraudulently - which is hardly more challenging than editing a boarding pass, but pays far better dividends, like actually being permitted to travel.

We note that US Representative Edward Markey (Democrat, Massachusetts) overreacted wildly to news of Soghoian's pass generator and called for his immediate arrest.

"The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," Markey exclaimed.

He later retracted that bit of political theatre: "Subsequently, I learned that the person responsible...intended to provide a public service by warning that this long-standing loophole could be easily exploited." Markey concluded that: "The Department of Homeland Security should put [Soghoian] to work showing public officials how easily our security can be compromised."

Markey is a member of the House Homeland Security Committee. With the midterm elections approaching, he's naturally eager to show the world that Democrats are just as security-savvy as Republicans claim to be. But he gets it wrong both times. He overstates the risk in the first place, and in the second place overestimates Soghoian's "contribution" to airline security in pointing out a minor flaw that's been known for years.

But so long as security remains a political football, this is the sort of rubbish we will have to listen to (The Register does commend Markey for not waiting until after the election to issue the retraction, as many others in his position would have done).

The homemade boarding pass is no big deal. The risk is minor, and it's mitigated somewhat by the fact that the passes issued by the airlines at check in, where ID is required, look different. This is by design, to give the TSA an opportunity to exercise a bit more care when screening passengers in possession of boarding passes obtained otherwise.

And yes, it would not be terribly difficult to make a facsimile of an airline-issued pass to escape extra scrutiny, but we have to point out that the real threat is undesirable travellers with false identities, proffering authentic travel documents. That's the right way to beat the system, and it's easy. No terrorist worth his salt is going to waste time Photoshopping boarding passes.

In the movies, the scoundrels always have a guy who does counterfeit passports. He's always eccentric, and strangely heliophobic for someone who does close work, but he's invariably a world-class artist. The counterfeits cost thousands of dollars and take several days.

In the real world, with a fake birth certificate, you can get a genuine passport in 24 hours for less than $200. Of course, movies wouldn't be as much fun if we kept that in mind. But when we're doing security, it's wise to remain clear on the differences between Hollywood and reality.

Meanwhile, we hope that Soghoian isn't destined to spend several years in prison for pointing out a security flaw that, ultimately, is irrelevant. ®

Next gen security for virtualised datacentres

More from The Register

next story
Microsoft exits climate denier lobby group
ALEC will have to do without Redmond, it seems
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
Barnes & Noble: Swallow a Samsung Nook tablet, please ... pretty please
Novelslab finally on sale with ($199 - $20) price tag
Ballmer leaves Microsoft board to spend more time with his b-balls
From Clippy to Clippers: Hi, I see you're running an NBA team now ...
Kate Bush: Don't make me HAVE CONTACT with your iPHONE
Can't face sea of wobbling fondle implements. What happened to lighters, eh?
Video of US journalist 'beheading' pulled from social media
Yanked footage featured British-accented attacker and US journo James Foley
Amazon takes swipe at PayPal, Square with card reader for mobes
Etailer plans to undercut rivals with low transaction fee offer
Assange™: Hey world, I'M STILL HERE, ignore that Snowden guy
Press conference: ME ME ME ME ME ME ME (cont'd pg 94)
Call of Duty daddy considers launching own movie studio
Activision Blizzard might like quality control of a CoD film
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.